C/C++ 实现远程代码注入
#include <windows.h>
#include <iostream>
#define STRLEN 20
typedef struct _DATA
{
DWORD dwLoadLibrary;
DWORD dwGetProcAddress;
DWORD dwGetModuleHandle;
DWORD dwGetModuleFileName;
char User32Dll[STRLEN];
char MessageBox[STRLEN];
char Str[STRLEN];
}DATA, *PDATA;
DWORD WINAPI RemoteThreadProc(LPVOID lpParam)
{
PDATA pData = (PDATA)lpParam;
//定义API函数原型
HMODULE (__stdcall *MyLoadLibrary)(LPCTSTR);
FARPROC (__stdcall *MyGetProcAddress)(HMODULE, LPCSTR);
HMODULE (__stdcall *MyGetModuleHandle)(LPCTSTR);
int (__stdcall *MyMessageBox)(HWND, LPCTSTR, LPCTSTR, UINT);
DWORD (__stdcall *MyGetModuleFileName)(HMODULE, LPTSTR, DWORD);
//对各函数地址进行赋值
MyLoadLibrary = (HMODULE (__stdcall *)(LPCTSTR))pData->dwLoadLibrary;
MyGetProcAddress = (FARPROC (__stdcall *)(HMODULE, LPCSTR))pData->dwGetProcAddress;
MyGetModuleHandle = (HMODULE (__stdcall *)(LPCTSTR))pData->dwGetModuleHandle;
MyGetModuleFileName = (DWORD (__stdcall *)(HMODULE, LPTSTR, DWORD))pData->dwGetModuleFileName;
//加载user32.dll
HMODULE hModule = MyLoadLibrary(pData->User32Dll);
//获得MessageBoxA的函数地址
MyMessageBox = (int (__stdcall *)(HWND, LPCTSTR, LPCTSTR, UINT))
MyGetProcAddress(hModule, pData->MessageBox);
char szModuleFileName[MAX_PATH] = {0};
MyGetModuleFileName(NULL, szModuleFileName, MAX_PATH);
MyMessageBox(NULL, pData->Str, szModuleFileName, MB_OK);
return 0;
}
void InjectCode(DWORD dwPid)
{
//打开进程并获取进程句柄
HANDLE hProcess = OpenProcess(PROCESS_ALL_ACCESS, FALSE,dwPid);
if(NULL== hProcess)
return;
DATA Data = {0};
//获取kernel32.dll中相关的导出函数
Data.dwLoadLibrary= (DWORD)GetProcAddress(GetModuleHandle("kernel32.dll"),"LoadLibraryA");
Data.dwGetProcAddress= (DWORD)GetProcAddress(GetModuleHandle("kernel32.dll"),"GetProcAddress");
Data.dwGetModuleHandle= (DWORD)GetProcAddress(GetModuleHandle("kernel32.dll"),"GetModuleHandleA");
Data.dwGetModuleFileName= (DWORD)GetProcAddress(GetModuleHandle("kernel32.dll"),"GetModuleFileNameA");
//需要的其他dll和导出函数
lstrcpy(Data.User32Dll,"user32.dll");
lstrcpy(Data.MessageBox,"MessageBoxA");
//提示字符串
lstrcpy(Data.Str,"Code Inject !!!");
//在目标进程中申请空间
LPVOID lpData = VirtualAllocEx(hProcess, NULL, sizeof(Data),
MEM_COMMIT,PAGE_EXECUTE_READWRITE);
DWORD dwWriteNum = 0;
WriteProcessMemory(hProcess,lpData, &Data,sizeof(Data), &dwWriteNum);
//在目标进程空间中申请用于保存代码的长度
WORD dwFunSize = 0x4000;
LPVOID lpCode = VirtualAllocEx(hProcess, NULL, dwFunSize,
MEM_COMMIT,PAGE_EXECUTE_READWRITE);
WriteProcessMemory(hProcess,lpCode,&RemoteThreadProc,
dwFunSize,&dwWriteNum);
HANDLE hThread = CreateRemoteThread(hProcess, NULL, 0,
(LPTHREAD_START_ROUTINE)lpCode,
lpData,0, NULL);
WaitForSingleObject(hThread,INFINITE);
CloseHandle(hThread);
CloseHandle(hProcess);
}
int GetProcessID(char *Name)
{
HWND Pid=::FindWindow(NULL,Name);
DWORD Retn;
::GetWindowThreadProcessId(Pid,&Retn);
return Retn;
}
int main()
{
int ppid;
ppid = ::GetProcessID("lyshark.exe");
InjectCode(ppid);
return 0;
}
文章出处:https://www.cnblogs.com/LyShark/p/11066070.html
本博客所有文章除特别声明外,均采用 BY-NC-SA 许可协议。转载请注明出处!
本博客所有文章除特别声明外,均采用 BY-NC-SA 许可协议。转载请注明出处!
【推荐】国内首个AI IDE,深度理解中文开发场景,立即下载体验Trae
【推荐】编程新体验,更懂你的AI,立即体验豆包MarsCode编程助手
【推荐】抖音旗下AI助手豆包,你的智能百科全书,全免费不限次数
【推荐】轻量又高性能的 SSH 工具 IShell:AI 加持,快人一步
· Linux系列:如何用 C#调用 C方法造成内存泄露
· AI与.NET技术实操系列(二):开始使用ML.NET
· 记一次.NET内存居高不下排查解决与启示
· 探究高空视频全景AR技术的实现原理
· 理解Rust引用及其生命周期标识(上)
· DeepSeek 开源周回顾「GitHub 热点速览」
· 物流快递公司核心技术能力-地址解析分单基础技术分享
· .NET 10首个预览版发布:重大改进与新特性概览!
· AI与.NET技术实操系列(二):开始使用ML.NET
· 单线程的Redis速度为什么快?